
How should qualified trust service providers handle revocation under ETSI EN 319 411-2?

A standalone answer for qualified trust service teams translating ETSI EN 319 411-2 revocation clauses into CPS procedures, status publication, and audit evidence.

Grounded in external standards and official source URLs. Use it as implementation guidance, not for legal interpretation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

Short answer: under ETSI EN 319 411-2, a qualified trust service provider should treat revocation as a controlled certificate lifecycle process. The CPS needs to say who may request or report revocation, how requests are authenticated, when status changes are published, and how CRL or OCSP status remains available to relying parties.

Question 1

What should revocation procedures cover?

ETSI EN 319 411-2 makes the EN 319 411-1 revocation request controls applicable to qualified certificate services. In practice, the QTSP's CPS should define who can submit revocation requests or event reports, how they are submitted, when confirmation is required, what reasons can lead to suspension or revocation, and which mechanism distributes revocation status information.

The timing control is concrete: the actual certificate status change must be available to relying parties no later than 24 hours after receipt of the revocation or suspension request. If confirmation cannot be completed within that window, the CPS needs an exception procedure and the QTSP must record the actions taken and justification.

  • Authenticate each revocation request or event report and check that it comes from an authorized source before changing certificate status.
  • Process revocation requests and revocation-related event reports on receipt, with UTC-synchronized time used for the revocation service.
  • Apply the 24-hour maximum delay to every revocation status method in use when both CRL and OCSP can lag.
Question 2

What evidence should support revocation under ETSI EN 319 411-2?

Evidence should show that the QTSP can receive, authenticate, decide, publish, and preserve revocation status consistently for the qualified certificate profiles it issues. The useful audit trail is not a generic owner list; it is the sequence from request or event report through certificate database update and CRL or OCSP publication.

For revoked or suspended certificates, keep enough records to prove the received request time, authorization check, confirmation or exception path, decision time, status publication time, and notification to the subject or subscriber where possible.

  • CPS extracts covering revocation request submitters, submission channels, confirmation rules, suspension or revocation reasons, CRL or OCSP distribution, and maximum delays.
  • Timestamped revocation tickets or logs showing receipt, authorization, confirmation status, decision, certificate database update, CRL or OCSP publication, and any 24-hour exception justification.
  • Status-service evidence showing 24/7 availability, integrity and authenticity protections, consistent updates across CRL and OCSP when both are used, and public international availability.
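The timing and evidence points above can be checked mechanically against exported revocation records. The following is an added example, not code from the standard or from any QTSP; the record fields, finding codes, and sample tickets are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_DELAY = timedelta(hours=24)  # maximum delay stated in the answer above

def parse_utc(value):
    """Parse an ISO 8601 timestamp; reject values without an explicit offset."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {value}")
    return ts.astimezone(timezone.utc)

def audit_ticket(ticket, methods=("crl", "ocsp")):
    """Return finding codes for one revocation record (empty list means clean)."""
    try:
        received = parse_utc(ticket["received"])
    except ValueError:
        return ["RECEIVED_TIME_NOT_UTC"]  # delays cannot be computed reliably
    findings = []
    if not ticket.get("authorized"):
        findings.append("NO_AUTHORIZATION_CHECK")
    for method in methods:  # the limit applies to every status method in use
        tag = method.upper()
        published = ticket.get("published", {}).get(method)
        if published is None:
            findings.append(f"{tag}_NOT_PUBLISHED")
            continue
        try:
            delay = parse_utc(published) - received
        except ValueError:
            findings.append(f"{tag}_TIME_NOT_UTC")
            continue
        if delay < timedelta(0):
            findings.append(f"{tag}_PUBLISHED_BEFORE_RECEIPT")
        elif delay > MAX_DELAY:  # exactly 24 hours is still within the limit
            justified = bool(ticket.get("exception_justification"))
            findings.append(f"{tag}_LATE_" + ("WITH_EXCEPTION" if justified else "NO_EXCEPTION"))
    return findings

# Constructed sample records; field names are hypothetical.
TICKETS = [
    {"id": "REV-001", "received": "2026-05-01T08:00:00+00:00", "authorized": True,
     "published": {"crl": "2026-05-01T20:00:00+00:00", "ocsp": "2026-05-01T08:05:00+00:00"}},
    {"id": "REV-002", "received": "2026-05-02T09:00:00+00:00", "authorized": True,
     "published": {"crl": "2026-05-03T17:00:00+02:00", "ocsp": "2026-05-02T09:10:00+00:00"}},
    {"id": "REV-003", "received": "2026-05-03T10:00:00+00:00", "authorized": True,
     "published": {"crl": "2026-05-04T12:00:00+00:00", "ocsp": "2026-05-04T12:00:00+00:00"},
     "exception_justification": "Confirmation pending; actions recorded per CPS"},
    {"id": "REV-004", "received": "2026-05-04T11:00:00", "authorized": True, "published": {}},
]
REPORT = {t["id"]: audit_ticket(t) for t in TICKETS}
```

`REPORT` maps each ticket id to its findings: a record that is late on one method only (REV-002, where OCSP was prompt but the CRL lagged) is still flagged.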
Question 3

What checklist should teams use for revocation under ETSI EN 319 411-2?

Use a checklist that follows the certificate lifecycle clauses rather than a general compliance workflow. The review should prove that revocation requests are controlled, revoked certificates are not reinstated, and relying parties can obtain status information through the published mechanisms.

  • Map each qualified certificate profile in scope to its revocation request process, including authorized submitters, confirmation rules, future-dated requests, emergency reasons, and UTC time source.
  • Verify that non-expired certificates are revoked when they are no longer compliant with the applicable certificate policy, when known changes affect certificate validity, or when the cryptography no longer ensures the binding between subject and public key.
  • Check CRL handling where CRLs are used: publication at least every 24 hours until the last CRL, nextUpdate values, signer, expired revoked certificate handling, and last-CRL preservation.
  • Check OCSP handling where OCSP is used: archive cut-off use for status beyond expiry, last OCSP answers where applicable, and documented interpretation when OCSP and CRL update delays differ.
Primary sources

References and citations

eur-lex.europa.eu
Referenced sections
  • ETSI EN 319 411-2 maps eIDAS certificate revocation and relying-party status requirements to clauses 6.2.4, 6.3.9, and 6.3.10.
"effective immediately"